b'           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n   KINDERGARTEN THROUGH 12TH GRADE\n     SCHOOLS\xe2\x80\x99 COLLECTION AND USE\n      OF SOCIAL SECURITY NUMBERS\n\n      July 2010   A-08-10-11057\n\n\n\n\nAUDIT REPORT\n\x0c                                                      Mis s io n\nBy c o n d u c tin g in d e p e n d e n t a n d o b je c tive a u d its , e va lu a tio n s a n d in ve s tig a tio n s ,\nwe in s p ire p u b lic c o n fid e n c e in th e in te g rity a n d s e c u rity o f S S A\xe2\x80\x99s p ro g ra m s a n d\no p e ra tio n s a n d p ro te c t th e m a g a in s t fra u d , wa s te a n d a b u s e . We p ro vid e tim e ly,\nu s e fu l a n d re lia b le in fo rm a tio n a n d a d vic e to Ad m in is tra tio n o ffic ia ls , Co n g re s s\na n d th e p u b lic .\n\n                                                    Au th o rity\nTh e In s p e c to r Ge n e ra l Ac t c re a te d in d e p e n d e n t a u d it a n d in ve s tig a tive u n its ,\nc a lle d th e Offic e o f In s p e c to r Ge n e ra l (OIG). Th e m is s io n o f th e OIG, a s s p e lle d\no u t in th e Ac t, is to :\n\n   \xef\x81\xad Co n d u c t a n d s u p e rvis e in d e p e n d e n t a n d o b je c tive a u d its a n d\n     in ve s tig a tio n s re la tin g to a g e n c y p ro g ra m s a n d o p e ra tio n s .\n   \xef\x81\xad P ro mo te e c o n o m y, e ffe c tive n e s s , a n d e ffic ie n c y with in th e a g e n c y.\n   \xef\x81\xad P re ve n t a n d d e te c t fra u d , wa s te , a n d a b u s e in a g e n c y p ro g ra m s a n d\n     o p e ra tio n s .\n   \xef\x81\xad Re vie w a n d m a ke re c o mm e n d a tio n s re g a rd in g e xis tin g a n d p ro p o s e d\n     le g is la tio n a n d re g u la tio n s re la tin g to a g e n c y p ro g ra m s a n d o p e ra tio n s .\n   \xef\x81\xad Ke e p th e a g e n c y h e a d a n d th e Co n g re s s fu lly a n d c u rre n tly in fo rm e d o f\n     p ro b le m s in a g e n c y p ro g ra m s a n d o p e ra tio n s .\n\n   To e n s u re o b je c tivity, th e IG Ac t e m p o we rs th e IG with :\n\n   \xef\x81\xad In d e p e n d e n c e to d e te rmin e wh a t re vie ws to p e rfo rm .\n   \xef\x81\xad Ac c e s s to a ll in fo rm a tio n n e c e s s a ry fo r th e re vie ws .\n   \xef\x81\xad Au th o rity to p u b lis h fin d in g s a n d re c o mm e n d a tio n s b a s e d o n th e re vie ws .\n\n                                                       Vis io n\nWe s trive fo r c o n tin u a l im p ro ve me n t in S S A\xe2\x80\x99s p ro g ra m s , o p e ra tio n s a n d\nm a n a g e m e n t b y p ro a c tive ly s e e kin g n e w wa ys to p re ve n t a n d d e te r fra u d , wa s te\na n d a b u s e . We c o m m it to in te g rity a n d e xc e lle n c e b y s u p p o rtin g a n e n viro n m e n t\nth a t p ro vid e s a va lu a b le p u b lic s e rvic e wh ile e n c o u ra g in g e mp lo ye e d e ve lo p me n t\na n d re te n tio n a n d fo s te rin g d ive rs ity a n d in n o va tio n .\n\x0c                                               SOCIAL SECURITY\nMEMORANDUM\n\nDate:      July 22, 2010                                                             Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   Kindergarten Through 12th Grade Schools\xe2\x80\x99 Collection and Use of Social Security\n           Numbers (A-08-10-11057)\n\n\n           OBJ ECTIVE\n           Our objective was to assess kindergarten through 12th grade (K-12) schools\xe2\x80\x99 collection\n           and use of Social Security numbers (SSN) and the potential risks associated with\n           current practices.\n\n           BACKGROUND\n\n           Millions of children enroll in K-12 schools each year. To assist in this process,\n           K-12 schools may collect and use SSNs for various purposes. Although no single\n           Federal law regulates overall use and disclosure of SSNs by K-12 schools, the Privacy\n           Act of 1974, Social Security Act, and Family Educational Rights and Privacy Act of 1974\n           (FERPA), contain provisions that govern disclosure and use of SSNs. See Appendix B\n           for more information on the specific provisions of these laws. Additionally, the Office of\n           Management and Budget (OMB) issued a memorandum in 2007 on safeguarding\n           against and responding to disclosure of personally identifiable information, including\n           SSNs. 1 Federal agencies are required to reduce the volume of collected and retained\n           personally identifiable information to the minimum necessary, 2 including establishment\n           and implementation of plans to eliminate unnecessary collection and use of SSNs.3\n\n           We reviewed relevant State laws, policies, and practices regarding K-12 schools\xe2\x80\x99\n           collection and use of SSNs. We also contacted selected State educational agencies to\n           identify steps States have taken to limit K-12 schools\xe2\x80\x99 collection and use of SSNs. In\n\n\n           1\n            OMB, Safeguarding Against and Responding to the Breach of Personally Identifiable Information\n           (M-07-16), May 22, 2007.\n           2\n               Id. at 2.\n           3\n               Id. at Attachment 1, \xc2\xa7 B.2.a.\n\x0cPage 2 - The Commissioner\n\naddition, we identified incidents in which K-12 schools inadvertently and/or improperly\ndisclosed students\xe2\x80\x99 SSNs. See Appendix C for additional details regarding the scope\nand methodology of our review.\n\nRESULTS OF REVIEW\nDespite the increasing threat of identity theft, our review of State laws and school\npolicies and practices disclosed that K-12 schools\xe2\x80\x99 collection and use of SSNs was\nwidespread.4 We determined that many K-12 schools used SSNs as the primary\nstudent identifier or for other purposes, even when another identifier would have\nsufficed. In addition, there has been a growing trend among State Departments of\nEducation to establish longitudinal databases, which may include SSNs, of\nK-12 children in a State to track students\xe2\x80\x99 progress over time. While some State laws\nmay require that K-12 schools collect SSNs in some instances, we believe some do so\nas a matter of convenience\xe2\x80\x94because SSNs are unique identifiers and most students\nhave an SSN. However, we do not believe administrative convenience should ever be\nmore important than safeguarding children\xe2\x80\x99s personal information.\n\nWe believe the unnecessary collection and use of SSNs is a significant vulnerability for\nthis young population.5 Recent data indicate the number of children under age\n19 whose identities have been stolen is growing. This is particularly troubling given that\nsome of these students may not become aware of such activity until they apply for a\ncredit card or student loan. Because of the numerous incidences of identity theft and\nthe recognition that SSNs are linked to vast amounts of personal information, some\nStates have taken steps to limit the collection and use of SSNs. We are encouraged by\nthese efforts and believe that State and local educational systems should seek\nadditional ways to limit their collection and use of SSNs and implement stringent\ncontrols to protect SSNs when collected.\n\nK-12 SCHOOLS\xe2\x80\x99 COLLECTION AND USE OF SSNs\n\nWe determined that many K-12 schools used SSNs as primary student identifiers to\nhelp in recordkeeping and tracking students throughout their school years. For\nexample, we identified laws in 7 States 6 that required that K-12 schools obtain students\xe2\x80\x99\n\n\n\n\n4\n This issue was first discussed in a prior SSA OIG audit, State and Local Governments\xe2\x80\x99 Collection and\nUse of Social Security Numbers (A-08-07-17086), September 2007.\n5\n  For the 2009/2010 school year, the National Education Association (NEA) estimated there were more\nthan 49 million K-12 students in over 15,000 school districts nationwide. See NEA, Rankings &\nEstimates: Rankings of the States 2009 and Estimates of School Statistics 2010, December 2009.\n6\n  The States were Alabama, Arkansas, Florida, Georgia, Kentucky, Virginia, and West Virginia. Although\nthese States require an SSN for enrollment, they also may provide alternative numbers for individuals\nwho refuse to provide their SSN or who are not eligible for an SSN.\n\x0cPage 3 - The Commissioner\n\nSSNs and schools in at least 26 other States 7 that collected students\xe2\x80\x99 SSNs at\nregistration, even though no State law required that they do so. 8 We also identified\nK-12 schools that included students\xe2\x80\x99 SSNs on such documents as enrollment\napplications, student profiles, graduation forms, transcripts, tests, athletic participation\nforms, and educational research data. In addition, we identified an elementary school\nposter contest in which students\xe2\x80\x99 SSNs were requested on entry forms attached to the\nback of posters.9 We believe such practices increase the risk of SSN misuse and\nunnecessarily subject students to the possibility of identity theft.\n\nIn addition to K-12 schools\xe2\x80\x99 collection and use of SSNs, there is a growing trend among\nState Departments of Education to establish longitudinal databases of all K-12 children\nwithin a State to track students\xe2\x80\x99 progress over time, according to a recent university\nstudy. 10 The study found that privacy protections for these databases were generally\nlacking in the majority of States. Furthermore, the study reported that at least\n32 percent of States warehoused children\xe2\x80\x99s SSNs, and over 80 percent of States\napparently failed to have data retention policies and were likely to hold student\ninformation indefinitely. In addition, several States outsourced the data-warehousing\nfunction without any protections for privacy in vendor contracts. While we recognize\nthere are some legitimate reasons for data collection in K-12 educational systems (for\nexample, tracking school improvement), we question the need for States to collect\nSSNs, especially when States also assign a unique identification number to students in\nthese databases. Until States stop collecting SSNs and redact existing SSNs, we\nencourage States to implement stringent security measures when establishing such\ndatabases.\n\nThe coordinator of the Statewide Longitudinal Data Systems Grant Program 11 told us\nthe U.S. Department of Education does not instruct States to collect SSNs when\nestablishing longitudinal databases. Although 28 (56 percent) States collect SSNs, he\nagreed they may not need to continue this practice because all States now assign a\nunique identification number to students in these databases. According to the grant\nprogram coordinator, the primary reason some States collect K-12 students\xe2\x80\x99 SSNs is to\nallow States to track students as they move to post-secondary education systems and\nenter the workforce. While he acknowledged that privacy protections may vary among\n\n7\n The States were Connecticut, Delaware, Hawaii, Illinois, Iowa, Kansas, Louisiana, Maine, Maryland,\nMassachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Hampshire, Ohio, Oklahoma,\nOregon, Pennsylvania, Rhode Island, South Carolina, Texas, Utah, Wisconsin, and Wyoming.\n8\n    We do not suggest that these are the only States in which K-12 schools collect SSNs at registration.\n9\n Although instructions state that SSNs may be redacted on the copy of the entry form affixed to the back\nof the poster, we question the need to obtain such information before award and prize selection.\n10\n  Joel R. Reidenberg et al., Fordham Law School Center on Law and Information Policy, Children\xe2\x80\x99s\nEducational Records and Privacy, October 2009.\n11\n  This U.S. Department of Education grant program is designed to aid State education agencies in\ndeveloping and implementing longitudinal data systems to enhance the ability of States to efficiently and\naccurately manage, analyze, and use education data, including individual student records.\n\x0cPage 4 - The Commissioner\n\nStates, he believes that most States understand the importance of having safeguards in\nplace to protect personally identifiable information and are working to do so.\n\nPOTENTIAL RISKS ASSOCIATED WITH COLLECTING AND USING SSNs\n\nK-12 schools\xe2\x80\x99 collection and use of SSNs entail certain risks. Each time a student\nprovides his/her SSN, the potential for a dishonest individual to unlawfully gain access\nto, and misuse, the SSN increases. Identity thieves often target children because they\nhave clean credit histories, and their records may be used for years before they realize\ntheir identity has been used for criminal activities. Since 2005, 40 school-related\nbreaches of children\xe2\x80\x99s personally identifiable information (including SSNs) have been\nreported.12 Because many K-12 schools still use SSNs as the primary student identifier,\nstudents\xe2\x80\x99 exposure to such activity remains. We believe the following examples\nillustrate K-12 students\xe2\x80\x99 risk of exposure to identity theft and fraud.\n\n\xe2\x80\xa2    In March 2009, 8 individuals were indicted and arrested for breaking into about\n     50 public schools in Puerto Rico and stealing personal identification documents\n     (including SSN cards) from as many as 12,000 students, teachers, and school\n     administrators. The documents were stolen for sale to illegal immigrants interested\n     in using the identities of U.S. citizens. The documents were sold as sets (SSN cards\n     and birth certificates), originals or copies, starting at $150 or $40, respectively.\n\n\xe2\x80\xa2    In December 2009, a North Carolina school system accidentally sent out about\n     5,000 postcards with students\xe2\x80\x99 SSNs printed on the front.\n\n\xe2\x80\xa2    In September 2009, 15 boxes containing hundreds of students\xe2\x80\x99 confidential records\n     (including birth certificates and SSN cards) were dumped on the sidewalk in front of\n     their former New York high school.\n\n\xe2\x80\xa2    In October 2008, more than 400 identification cards were recalled from a Maryland\n     high school when officials realized that student SSNs had been printed on some of\n     them, even though the school system assigned students distinct identification\n     numbers. The school system also appears to use SSNs in student lunch codes.\n\n\xe2\x80\xa2    In November 2009, documents from a Texas school district\xe2\x80\x99s lunch program for\n     2003 to 2006 were left at a television news station with a note attached claiming the\n     documents were found at a recycling center. Students\xe2\x80\x99 SSNs were visible on the\n     documents.\n\n\n\n\n12\n   As of December 2008, only 44 States required notification of security breaches involving personal\ninformation. As such, all breaches may not have been reported.\n\x0cPage 5 - The Commissioner\n\nSOME STATES HAVE TAKEN STEPS TO LIMIT SSN COLLECTION AND USE\n\nThe increase in identity theft and the recognition that SSNs are linked to vast amounts\nof personally identifiable information have led some States to limit SSN collection and\nuse in K-12 schools.13 We identified four States that had enacted laws to prohibit\nK-12 schools or State educational agencies from using SSNs as primary student\nidentifiers.14 In addition, we identified four other States that had policies and practices\nthat restricted the collection and/or use of SSNs in K-12 schools.15 Education officials in\nthese States confirmed that there was no need to use SSNs as student identifiers when\nother unique identifiers were sufficient to track K-12 students. The following examples\nillustrate some of the steps States have taken to limit SSN collection and use in\nK-12 schools.\n\n\xe2\x80\xa2     No public educational institution in Rhode Island, including the State Department of\n      Elementary and Secondary Education, may assign an individual identification\n      number to a student that is identical to, or incorporates, the individual\xe2\x80\x99s SSN. In\n      addition, no public educational institution may allow the public display of a student\xe2\x80\x99s\n      SSN or any four or more consecutive numbers contained in the individual\xe2\x80\x99s SSN for\n      any purpose.\n\n\xe2\x80\xa2     While a school board or governing body of a private school may assign a unique\n      identification number to each K-12 student in Wisconsin, they may not assign a\n      number that is identical to, or incorporates, the student\xe2\x80\x99s SSN. The identification\n      number is intended to travel with the student throughout his/her academic career\n      and is used for all required State reporting. This eliminates the need for school\n      districts to use SSNs as student identifiers in their computer systems.\n\n\xe2\x80\xa2     Nebraska does not have a law that prohibits SSNs as student identifiers. However,\n      school districts do not use SSNs as such because the Nebraska Department of\n      Education assigns a Student ID, which is a 10-digit, randomly assigned number.\n      Furthermore, Nebraska does not store SSNs in its data warehouse. An education\n      official told us SSNs are not a universally used identifier for school purposes\n      because it is too much trouble to protect the SSN at the State level.\n\n\xe2\x80\xa2     While there is no law in North Dakota prohibiting the use of SSNs as student\n      identifiers, the Department of Public Instruction avoids using SSNs as student\n      identifiers because of sensitivity issues. An education official told us the unique\n      student identifier it uses sufficiently tracks students through the K-12 system, thus\n      eliminating the need to use SSNs.\n\n13\n   We do not intend to suggest that the States discussed below are the only States that have taken steps\nto limit SSN collection and use in K-12 schools.\n14\n  The States were New Hampshire, Ohio, Rhode Island, and Wisconsin. However, such laws may not\nprevent K-12 schools from collecting and using SSNs for other purposes.\n15\n     The States were Nebraska, North Dakota, Washington, and Wyoming.\n\x0cPage 6 - The Commissioner\n\nIn previous audits,16 we identified instances in which colleges and universities used\nSSNs as the primary student identifier or for other purposes. However, numerous\nincidences of identity theft led some schools to reconsider the practice. In addition,\nsome States enacted laws to regulate college and university use of SSNs. We are\nencouraged by those efforts and believe that State and local governments should afford\nthe same protections to students in K-12 schools.\n\nCONCLUSION AND RECOMMENDATIONS\nDespite the potential risks associated with using SSNs as primary student identifiers,\nmany K-12 schools continue this practice. While we recognize that SSA cannot prohibit\nStates or K-12 schools from collecting and using SSNs as student identifiers or for other\npurposes, we believe SSA can help reduce the threat of identity theft and SSN misuse\nby encouraging States and K-12 schools to reduce unnecessary collection of SSNs and\nimprove protections and safeguards when collected. We recommend that SSA:\n\n1. Coordinate with State Departments of Education and K-12 school systems to inform\n   the education community about the potential risks associated with using SSNs as\n   student identifiers or for other purposes.\n\n2. Encourage State Departments of Education and K-12 schools to reduce\n   unnecessary collection and use of SSNs and implement stringent safeguards to\n   protect SSNs when collected.\n\n3. Promote the best practices of States and K-12 schools that have taken steps to limit\n   SSN collection and use.\n\nAGENCY COMMENTS AND OIG RESPONSE\nSSA agreed with our recommendations. The Agency\xe2\x80\x99s comments are included in\nAppendix D.\n\n\n\n\n                                                       Patrick P. O\xe2\x80\x99Carroll, Jr.\n\n\n\n\n16\n  SSA OIG, Universities\xe2\x80\x99 Use of Social Security Numbers as Student Identifiers in Regions IV and X\n(A-08-05-15034 and A-08-05-15033), December 2004 and March 2005, respectively.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Federal Laws That Govern Disclosure and Use of the\n             Social Security Number\nAPPENDIX C \xe2\x80\x93 Scope and Methodology\nAPPENDIX D \xe2\x80\x93 Agency Comments\nAPPENDIX E \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                                  Appendix A\n\nAcronyms\nC.F.R.        Code of Federal Regulations\nFERPA         Family Educational Rights and Privacy Act of 1974\nK-12          Kindergarten Through 12th Grade\nNEA           National Education Association\nOIG           Office of the Inspector General\nOMB           Office of Management and Budget\nPub. L. No.   Public Law Number\nSSA           Social Security Administration\nSSN           Social Security Number\nU.S.C.        United States Code\n\x0c                                                                                      Appendix B\n\nFederal Laws That Govern Disclosure and Use\nof the Social Security Number\nThe following Federal laws establish a general framework for disclosing and using the\nSocial Security number (SSN).\n\nThe Privacy Act of 1974 1\n\nThe Privacy Act of 1974 (the Privacy Act) indicates, in part, that it is unlawful for any\nFederal, State, or local government agency to deny any individual any right, benefit, or\nprivilege provided by law because of such individual\xe2\x80\x99s refusal to disclose his/her SSN,\nunless the disclosure is required by Federal statute or is to any Federal, State, or local\nagency maintaining a system of records in existence and operating before\nJanuary 1, 1975, such disclosure was required under statute or regulation adopted\nbefore such date to verify the identity of an individual.2 Further, under Section 7(b) of\nthe Privacy Act, 3 any Federal, State, or local government agency requesting that an\nindividual disclose his/her SSN must inform the individual whether the disclosure is\nvoluntary or mandatory, by what statutory or other authority the SSN is solicited and\nwhat uses will be made of the SSN.\n\nThe Social Security Act\n\nThe Social Security Act provides, in part, that \xe2\x80\x9cSocial security account numbers and\nrelated records that are obtained or maintained by authorized persons pursuant to any\nprovision of law enacted on or after October 1, 1990, shall be confidential, and no\nauthorized person shall disclose any such social security account number or related\nrecord.\xe2\x80\x9d4 The Social Security Act also provides, in part, that \xe2\x80\x9c. . . [w]hoever discloses,\nuses, or compels the disclosure of the social security number of any person in violation\nof the laws of the United States; shall be guilty of a felony\xe2\x80\xa6.\xe2\x80\x9d 5 The Social Security Act\nauthorized certain State and local agencies to use the SSN for certain purposes and\nallows, or in certain instances requires, such agencies to require individuals to furnish\ntheir SSNs for such purposes.6\n1\n    Pub. L. No. 93-579, 5 U.S.C. 522a.\n2\n    Pub. L. No. 93-579 \xc2\xa7 7(a), 5 U.S.C. 552a, note (Disclosure of social security number).\n3\n    Id.\n4\n    42 U.S.C. \xc2\xa7 405(c)(2)(C)(viii).\n5\n    42 U.S.C. \xc2\xa7 408(a)(8).\n6\n    42 U.S.C. \xc2\xa7 405(c)(2)(C)(i), (ii), (v), (vi), (D), and (E).\n\n\n                                                           B-1\n\x0cThe Family Educational Rights and Privacy Act of 1974 7\n\nThe Family Educational Rights and Privacy Act of 1974 (FERPA) protects the privacy of\nstudent education records. FERPA applies to those schools that receive funds under\nan applicable program of the U.S. Department of Education.8 Under FERPA, an\neducational institution must have written permission from the parent or eligible student\nto release any personally identifiable information (which includes SSNs) from a\nstudent\xe2\x80\x99s education record. 9 FERPA does, however, provide certain exceptions in\nwhich a school is allowed to disclose records without consent.10 These exceptions\ninclude disclosure without consent to: other school officials who have a legitimate\neducational interest in the information, officials of institutions where the student is\nseeking to enroll/transfer, parties to whom the student is applying for financial aid, the\nparent of a dependent student, appropriate parties in compliance with a judicial order or\nlawfully issued subpoena, or health care providers in the event of a health or safety\nemergency. 11\n\n\n\n\n7\n    20 U.S.C. \xc2\xa7 1232g.\n8\n    34 C.F.R. \xc2\xa7 99.1(a)(2000).\n9\n  20 U.S.C. \xc2\xa7 1232g(b). FERPA gives parents certain rights with respect to their children\xe2\x80\x99s education\nrecords. 34 C.F.R. \xc2\xa7 99.10(a). These rights transfer to the child when the child reaches the age of 18 or\nattends an institution of postsecondary education. 20 U.S.C. \xc2\xa7 1232g(d). Children who have been\ntransferred rights are referred to as \xe2\x80\x9celigible students.\xe2\x80\x9d 34 C.F.R. \xc2\xa7 99.5(a).\n10\n     20 U.S.C. \xc2\xa7 1232g(b)(1).\n11\n     Id.\n\n\n                                                  B-2\n\x0c                                                                       Appendix C\n\nScope and Methodology\nTo accomplish our objective, we:\n\n\xe2\x80\xa2   Reviewed relevant laws from all 50 States regarding kindergarten through 12th (K-12)\n    schools\xe2\x80\x99 use of Social Security numbers (SSN).\n\n\xe2\x80\xa2   Reviewed Internet Websites of K-12 State educational agencies. We also selected\n    and reviewed a sample of local K-12 school system Websites because of the large\n    number of such entities.\n\n\xe2\x80\xa2   Researched child identity theft and occurrences of school-related SSN exposure\n    using Internet search engines.\n\n\xe2\x80\xa2   Discussed development of the Statewide Longitudinal Data Systems Grant Program\n    with the U.S. Department of Education.\n\n\xe2\x80\xa2   Reviewed selected studies and articles regarding K-12 schools\xe2\x80\x99 collection and use of\n    SSNs.\n\n\xe2\x80\xa2   Contacted selected State educational agencies to determine policies and practices\n    regarding K-12 schools\xe2\x80\x99 collection and use of SSNs.\n\nOur review of internal controls was limited to gaining an understanding of the collection\nand use of SSNs by K-12 schools. The Social Security Administration entity reviewed\nwas the Office of the Deputy Commissioner for Operations. We conducted our audit\nfrom November 2009 through April 2010 in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform the\naudit to obtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our audit objective. We believe the evidence\nobtained provides a reasonable basis for our findings and conclusions based on our\naudit objective.\n\x0c                  Appendix D\n\nAgency Comments\n\x0c                                        SOCIAL SECURITY\n\n\nMEMORANDUM\n\n\nDate:      July 16, 2010                                                         Refer To:   S1J-3\n\nTo:        Patrick P. O\'Carroll, Jr.\n           Inspector General\n\nFrom:      James A. Winn /s/\n           Executive Counselor to the Commissioner\n\nSubject:   Office of the Inspector General (OIG) Draft Report, "Kindergarten Through 12th Grade\n           Schools\xe2\x80\x99 Collection and Use of Social Security Numbers" (A-08-10-11057)--INFORMATION\n\n\n           Thank you for the opportunity to review and comment on the draft report. We appreciate\n           OIG\xe2\x80\x99s efforts in conducting this review. Attached is our response to the report findings and\n           recommendations.\n\n           Please let me know if we can be of further assistance. Please direct staff inquiries to\n           Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.\n\n           Attachment:\n           SSA Response\n\n\n\n\n                                                       D-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT, "KINDERGARTEN THROUGH 12TH GRADE SCHOOLS\xe2\x80\x99 COLLECTION\nAND USE OF SOCIAL SECURITY NUMBERS (SSN)" (A-08-10-11057)\n\nWe agree there are many risks associated with schools using SSNs as primary identifiers. We\nappreciate your acknowledging that we cannot prohibit the practice. Nevertheless, we do\nactively discourage use of SSNs. We describe some of our efforts for doing so in our response\nbelow.\n\nRecommendation 1\n\nCoordinate with State Departments of Education and K-12 school systems to inform the\neducation community about the potential risks associated with using SSNs as student identifiers\nor for other purposes.\n\nResponse\n\nWe agree. Our website Social Security.gov already provides publications, policy, frequently asked\nquestions (FAQ), and best practices for protecting SSNs. More information is available in these links:\n\nhttp://www.socialsecurity.gov/pubs/10002.html#protect\nhttp://www.socialsecurity.gov/phila/ProtectingSSNs.htm\nhttp://www.socialsecurity.gov/kc/id_practices_best.htm\nhttps://secure.ssa.gov/apps10/poms.nsf/lnx/0100201070\nhttp://ssa-custhelp.ssa.gov/app/answers/detail/a_id/1122/kw/protect%20ssn\nhttp://ssa-custhelp.ssa.gov/app/answers/detail/a_id/1649/kw/protect%20ssn\n\nIn addition, in response to the September 2007 OIG Final Report, "State and Local Governments\'\nCollection and Use of Social Security Numbers" (A-08-07-17086), we are preparing articles promoting\nthese web pages to state and local governments as part our ongoing educational outreach efforts.\n\nRecommendation 2\n\nEncourage State Departments of Education and K-12 schools to reduce unnecessary collection\nand use of SSNs and implement stringent safeguards to protect SSNs when collected.\n\nResponse\n\nWe agree. See response to recommendation 1.\n\n\n\n\n                                                     D-2\n\x0cRecommendation 3\n\nPromote the best practices of States and K-12 schools that have taken steps to limit SSN\ncollection and use.\n\nResponse\n\nWe agree. See response to recommendation 1.\n\n\n\n\n                                              D-3\n\x0c                                                                     Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Kimberly Byrd, Director, Atlanta Audit Division\n\n   Jeff Pounds, Audit Manager, Birmingham Office of Audit\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Kathy Yawn, Senior Auditor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number\nA-08-10-11057.\n\x0c                            DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                  Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                              Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                         Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                           Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c'